The question is no longer whether you will suffer a breach but when, which is why a robust cybersecurity incident response function starts with better log management. Logs are your window into the past: they let you reconstruct what has happened in your environment. During an incident they are your primary source of truth, letting you make decisions based on fact rather than assumption.
Logs must be searchable and accessible so that you can react quickly when an incident occurs. How confident are you that your current log management would let you respond to a security incident in good time? By storing your logs in a System of Record, you can collect as much data as possible, proactively build timelines of what is happening, and improve your organisation's security posture.
In the context of cyber security, your System of Record (SOR) is a ‘bucket’ of data that illustrates your IT ecosystem and hygiene posture at any given point in time. It lets you retain reliable, good-quality data for production and governance requirements, and it supports technical controls and compliance analytics as well as incident investigations. We believe a System of Record is such an integral practice that we have included it as one of our 7 steps to a forensic level focus.
In Secrutiny’s experience, it typically takes around 150 days to identify a breach, and IBM’s Cost of a Data Breach Report 2021 states: ‘On average, it takes 256 days to identify and contain a breach’. With numbers like these, why would you retain logs for only 90 days? A 90-day window means that by the time a typical intrusion is discovered, the logs covering the initial access have already been discarded. These figures suggest that a well-equipped incident response function needs between 1 and 2 years of log data; retention should, at a minimum, cover the expected dwell time plus the time needed to investigate. In some industries, such as Automotive, the retention policy may be even longer… but at what cost?
Storing log data for longer periods can become expensive, because the telemetry is wide-ranging and complex to collect and volumes quickly become overwhelming. To have the best chance of being prepared for a security incident, your SOR should also not be tied to a single SIEM or managed security provider: changing provider must not mean losing your history. Traditional SIEMs price on the volume of data stored, which can become counter-productive when a business has to choose, on cost grounds, between storing data it may never use and losing key log information. Some SIEM providers, such as Google Chronicle, price on the number of users rather than the amount of data stored, which is a significant advantage for companies re-assessing their log management strategy.
Do you keep your logs safe, or do you make your logs keep you safe? We see many companies beginning to keep their logs safe, but not actually using the log data proactively. Ultimately, logs exist so that you can determine what is happening in your environment, identify indicators of compromise, and run targeted searches during an investigation. Through our incident response team, we are seeing more ransomware threat actors not only compromising your data, but also removing the evidence of their activity by deleting the logs. Logs that are forwarded promptly to a central System of Record survive that deletion; logs that live only on the compromised host do not.
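Two checks that a central log store can run to make that deletion visible, as an added example that is not part of the original article or Secrutiny’s own tooling. The Windows event IDs are real (Security 1102 ‘The audit log was cleared’, System 104 ‘The log file was cleared’); the host names, the sample records, and the one-hour silence threshold are constructed for illustration.

```python
"""Spotting log tampering from a central copy of forwarded events.

Check 1: explicit log-clear events (Windows Security 1102, System 104).
Check 2: hosts that have gone silent, which is what a wiped or disabled
         forwarder looks like from the SIEM's side.

Example code added to this page; the records below are constructed and
are not real telemetry.
"""
from datetime import datetime, timezone

# (channel, event_id) pairs that mean a Windows event log was wiped.
LOG_CLEARED_EVENTS = {
    ("Security", 1102),  # "The audit log was cleared"
    ("System", 104),     # "The <name> log file was cleared"
}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample records as they might sit in a central store after
# being forwarded off the endpoints. Hosts 'ws-01', 'ws-02' and 'srv-db'
# and the account names are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T09:00:00Z", "host": "ws-01", "channel": "Security", "event_id": 4624, "user": "alice"},
    {"ts": "2023-03-01T09:05:00Z", "host": "srv-db", "channel": "Security", "event_id": 4624, "user": "svc_backup"},
    {"ts": "2023-03-01T09:07:12Z", "host": "srv-db", "channel": "Security", "event_id": 4672, "user": "svc_backup"},
    {"ts": "2023-03-01T09:07:30Z", "host": "srv-db", "channel": "Security", "event_id": 1102, "user": "svc_backup"},
    {"ts": "2023-03-01T09:07:31Z", "host": "srv-db", "channel": "System", "event_id": 104, "user": "svc_backup"},
    {"ts": "2023-03-01T11:58:00Z", "host": "ws-01", "channel": "Security", "event_id": 4634, "user": "alice"},
    {"ts": "2023-03-01T11:59:00Z", "host": "ws-02", "channel": "Security", "event_id": 4624, "user": "bob"},
]


def find_log_clearing(events):
    """Return one alert per log-clear event.

    Each alert records the host, channel, the account that cleared the log,
    and how many events from that host had already been forwarded before
    the wipe, i.e. the history that only survives because it left the box.
    """
    alerts = []
    seen_per_host = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        host = ev["host"]
        if (ev["channel"], ev["event_id"]) in LOG_CLEARED_EVENTS:
            alerts.append({
                "ts": ev["ts"],
                "host": host,
                "channel": ev["channel"],
                "event_id": ev["event_id"],
                "user": ev.get("user"),
                "events_before_clear": seen_per_host.get(host, 0),
            })
        seen_per_host[host] = seen_per_host.get(host, 0) + 1
    return alerts


def find_silent_hosts(events, now, max_gap_seconds):
    """Return {host: seconds_since_last_event} for hosts whose most recent
    forwarded event is older than max_gap_seconds. A host that was chatty
    and then stops is exactly what a deleted or disabled log looks like."""
    last_seen = {}
    for ev in events:
        t = parse_ts(ev["ts"])
        if ev["host"] not in last_seen or t > last_seen[ev["host"]]:
            last_seen[ev["host"]] = t
    return {
        host: int((now - t).total_seconds())
        for host, t in last_seen.items()
        if (now - t).total_seconds() > max_gap_seconds
    }


if __name__ == "__main__":
    for a in find_log_clearing(SAMPLE_EVENTS):
        print(f"[CLEARED] {a['ts']} {a['host']} {a['channel']} by {a['user']} "
              f"({a['events_before_clear']} earlier events already forwarded)")
    now = parse_ts("2023-03-01T12:00:00Z")  # constructed 'current time'
    for host, gap in find_silent_hosts(SAMPLE_EVENTS, now, 3600).items():
        print(f"[SILENT]  {host} has sent nothing for {gap} seconds")
```

Both checks depend on the logs having been forwarded before the attacker acted: the 1102 event is itself the last thing the endpoint writes before the Security log is empty, so if forwarding is batched hourly rather than near-real-time, neither the clear event nor the activity before it may ever reach the store. The silence check catches that case too, since a host that has been wiped and had its forwarder stopped simply drops off the timeline.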
How assured are you that you would identify the issue before a customer, partner or investor tells you about it? Do you have your fingers crossed behind your back when you report:
- ‘We have NO evidence of customer data loss’
- ‘Our critical systems were NOT breached’
- ‘We have thoroughly investigated the breach’
Gathering, storing and searching logs is a question of integrity, fidelity and velocity: only with all three can you make the statements above with confidence.
If you’d like to learn more about how to manage your security logs better, please feel free to get in touch.